Sunday, May 31, 2009

Cyberspace Security Review

On Friday (May 29, 2009) President Obama announced the nation’s plan to defend against attacks on the nation's computer networks; a “strategic national asset.” This plan includes appointing a Cyber-Security Chief, whom he has not yet chosen, in the White House. Obama will sign a classified order within the coming weeks that will create the military cybercommand.

He stated that cyber-criminals have cost US citizens over $8 billion worth of stolen data and that the figure worldwide was up to $1 trillion.

The announcement came with the release of the Cyberspace Security Review, a 76 page document that had 60-days to be completed from the date of the initial request. The Cyberspace Security Review explains how the US intends to secure its critical network infrastructure. It was stated that the review was necessary because, “America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration”, and that, “our digital infrastructure has already suffered intrusions that have allowed criminals to steal hundreds of millions of dollars and nation-states and other entities to steal intellectual property and sensitive military information.”

The Cyberspace Security Review made the following 10 recommendations for near-term action:

  1. Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities; establish a strong NSC directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the NEC, to coordinate interagency development of cybersecurity-related strategy and policy.
  2. Prepare for the President’s approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCI activities and, where appropriate, build on its successes.
  3. Designate cybersecurity as one of the President’s key management priorities and establish performance metrics.
  4. Designate a privacy and civil liberties official to the NSC cybersecurity directorate.
  5. Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government.
  6. Initiate a national public awareness and education campaign to promote cybersecurity.
  7. Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity.
  8. Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement.
  9. In collaboration with other EOP entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions.
  10. Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.

What is promising about the Review is that there's repeated focus on outcomes as opposed to the inputs. Too often forward progress is hindered by the inefficient efforts of trying to define process before goals and objectives are clearly defined and understood. Rather, the Review consistently attempts to make it clear what the strategic outcomes are, and from those objectives, the development of process will be guided.

The Review also states, “Other structures will be needed to help ensure that civil liberties and privacy rights are protected.” The inclusion to help protect our privacy and civil liberties is an indication of the balanced intention of the plan.

Money will also be set aside for research and development of security technologies, from which there will be significant opportunity.

What I'm not certain about is the overall effectiveness the Cyber-Security Chief will have. Specifically, the position will not have direct access to the president. As a result, this position may not be high-level enough to prevent the almost certain bureaucratic nonsense, internal bickering and games that could waste millions/billions of dollars.

Though the Review solely focusses on defensive measures, I'm also curious what efforts are underway, if any, towards the development and potential use of cyberweapons.

Overall, the document doesn't suggest that there will be any major changes that will affect the private sector within the near term. The Review recommends specific changes to the direction of future US policies. Within the mid-term I imagine that lawmakers will develop regulations that will require the sharing of security incident data from the private sector with the government, presumably tempered with the commitment to ensure civil liberties. I anticipate that we will also see more emphasis put towards penetration testing and incident response.